Understanding Error 403 Forbidden

Error 403 Forbidden can be triggered by many things, and in this wiki we will show you most of them. The most important thing is to check the log files when you get the error, as they will show the cause in most cases.

Generally, it is not LiteSpeed Web Server causing 403 issues. Most of the time, the error is related to a permission issue, configuration restriction, security settings, mod_security etc.

If you use a control panel like cPanel, you can try to switch to Apache and see if the error continues. If it happens to both Apache and LSWS, you can try the following possible tips yourself to locate the root cause. If it doesn't happen to Apache but only happens to LSWS, you can log a ticket with us to take a further look.

File/Directory Permissions

If the file or directory has the wrong permissions, you may see Error 403. Fix the premissions, and the error goes away.

Wrong File/Directory User

Make sure that the file or directory belongs to the correct user. Lets say that your public_html directory is owned by the username test, and you try to create a file index.php as user test1. That can trigger the error, as test1 will not have permission to read the file or the directory.

Deny From .htaccess File

Your .htaccess may have code like this:

deny from all

or

deny from <your ip address>

This means that access for the website is denied for everyone, or just from your IP address, respectively. You can simply remove or comment the line out with #.

Rewrite rule forbidden

If you have something similar to the following rewrite rules, it may return 403 borbidden.

RewriteCond (SOMECONDITION)
RewriteRule ^(.*)$ – [F,L]

Indexes

Directory indexing may be preventing a list of the files for the directory, but if you do not have an index file (index.php, index.html, etc.) and the autoindex option is ON that will return error 403.

If you have this line in the .htaccess file:

Options -Indexes

Remove the line, or turn autoindex on:

Options +Indexes

Problem/Missing PHP Handler

If the PHP handler is not setup correctly, the web server will return error 403. This will be shown in the server error log file and you will need to check it for more information. After that, create the correct PHP handler to resolve the issue.

File Restriction

In Litespeed WebAdmin > Configuration > Server > Security there is an option called Restricted Permission Mask. If you set this to a high value like 644, you will get error 403 for your pages.

To resolve it you need to lower the value.

Mod Security/WAF/fail2ban/CPHulk

Depending on what and how many requests you are doing for a particular website, the firewall can block you. In most cases your IP address will be denied in the system firewall (iptables, firewalld etc) and you need to remove your IP address in order to avoid the error.

Throttling

Similar to the previous case - if you have strict throttling rules and you make too many connections, that can trigger error 403.

GeoIP/IP2Loc or Similar Modules

If GeoIP or IP2Loc is allowed, they can block access to files like wp-login (wp-admin). In this case you need to allow them access in order to avoid the error.

Error 403 in LiteSpeed WebAdmin

There is an option to restrict access to the WebAdmin. If you forget to add your IP address, or if it changes, you can edit it from the configuration file in /usr/local/lsws/admin/conf/admin_config.xml:

Put your IP address in the allow list. For multiple IP addresses it looks like this:

<allow>XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX</allow>

Additional Information

The best way to diagnose and resolve that error is to check the system configuration, website configuration and the error logs. If you are unsure what is the correct configuration for some option that is triggering error 403, you can check the wiki for that option.